Evening Standard
Jonathan Prynn

Inside the hacking meltdown at Marks & Spencer's

Marks & Spencer’s bosses have not often enjoyed a rapturous reception when delivering their annual financial results over recent years.

But current CEO Stuart Machin would have been hoping for, if not a round of applause, then certainly some decent headlines after the scores on the doors for the year ending 29 March are delivered to the City and the business media in less than a fortnight’s time.

But within a month of the close of a financial year that M&S could hope to celebrate, the high street stalwart was hit by an electronic equivalent of an Exocet missile that has left those hopes in tatters.

At the time of writing it is more than three weeks on from Marks’ first public admission of what it coyly described as a “cyber incident” that made it necessary “to make some minor, temporary changes” to store operations.

The impact of the devastating attack will surely turn out to be temporary (one would certainly hope it is not permanent), but “minor” it most certainly is not.

The slump in the share price that followed the admission has not yet played itself out (today the shares are down another 5%), and the loss of market capitalisation since the crisis started is in danger of hitting the £1 billion mark.

Meanwhile customers remain locked out of the online M&S store, which brings in nearly £4 million of revenue a day, and recruitment has been put on hold.

This is all significant pain that will inevitably overshadow the otherwise encouraging news about Machin’s solid progress in turning round the once ailing blue chip company. And still the end is not in sight.

There is still much we do not know about this hack. It is believed, though not confirmed, to be the work of a cybercriminal network best known as Scattered Spider, but also referred to as UNC3944, Star Fraud, Octo Tempest, Scatter Swine and Muddled Libra.

This is believed to be a group of several hundred English-speaking young men, possibly as many as 1,000, based in the UK and America. They are best known for a successful break-in to the networks of casino operators Caesars Entertainment and MGM Resorts International in September 2023. Caesars eventually paid a ransom of around $15 million to get card payment systems, hotel room keys, slot machines and ATMs back up and running.

It has been reported that the UK ringleader is a 23-year-old from Dundee called Tyler Buchanan, while another hacker, Noah Urban, better known as “King Bob”, ran the operation on the other side of the Atlantic.

Buchanan, who goes under the username Tylerb on the encrypted messaging app Telegram, was pictured handcuffed in Spain last summer after being accused of masterminding Scattered Spider operations. He was extradited to California in April 2025.

M&S have said little publicly beyond their two brief updates to shareholders and occasional statements - ringing increasingly hollow - to say “M&S has robust business continuity plans and processes in place for managing incidents.”

But a picture has emerged of the manic internal activity - described by one unnamed insider as “just pure chaos” - since senior management first became aware of the hack on Easter Saturday.

A crisis team immediately swung into action with meetings at midnight, 3am and 6am on Easter Sunday to coordinate the response. Since then IT teams have been working round the clock, with some sleeping in the office, in the struggle to contain the contagion and at least keep the stores open and able to accept payments. They are still hard at it.

It is not that Britain’s best known retailer was caught totally unprepared. It is understood that Marks’ senior management war-gamed a cyber attack only last year.

But it is clear from the disruption and reputation damage that has been inflicted on Marks, and the attempted hacks on fellow retailers the Co-op and Harrods, that businesses up and down the country are going to have to bolster their defences and take cyber disaster management far more seriously - at the highest level.

As one expert put it: “Every airline has detailed and frequently rehearsed plans in place for their response to a plane crash. Companies in other sectors will have to treat cyber attacks in much the same way.”

The problems crippling M&S’s online operations have been watched with alarm in Government circles already spooked by the threat to critical infrastructure highlighted by the vast power cuts in Spain and Portugal last month.

Cabinet Office minister Pat McFadden told the CyberUK conference in Manchester this week that the cyber attacks on M&S, the Co-op and Harrods showed that “companies must treat cyber security as an absolute priority” and that these attacks should be a “wake-up call”.

McFadden also led a high level briefing with national security officials and Richard Horne, the head of the National Cyber Security Centre, last Friday about the support being provided to retailers.

But according to Jordan Jewell, senior retail analyst at ecommerce platform VTEX: “No company is immune to this kind of risk. As a company grows, so does its complexity. The more systems, vendors, users, and data involved, the harder it becomes to secure every entry point. An attacker only needs one.

“Fixing the issue takes time because you cannot just restart services. You need to verify which systems were touched, check how far the breach went, and make sure the environment is safe to bring back online. That means cleaning systems, validating configurations, and confirming that no malicious access remains. Restoring confidence means proving that the situation is contained and that similar paths have been closed.

“Ironically, sometimes a company’s extensive investments in sophisticated cybersecurity can themselves foster complacency, turning supposed strengths into surprising vulnerabilities.

“Audit access regularly and make sure people only have what they need to do their job. Invest in monitoring and detection, but also simulate attacks and test your response. That is how you find out what will break before a real attacker does. Most importantly, build a mindset around resilience. Prevent what you can, but assume that one day something will get through. What matters then is how quickly you detect it, how effectively you contain it, and how transparently you handle the fallout.”

Sometimes the breach is made through tactics no more sophisticated than those phishing scams familiar to every consumer.

David Mound, senior penetration tester at third-party risk management platform, SecurityScorecard, said: “Scattered Spider is a highly sophisticated and persistent cybercriminal group, best known for using social engineering to directly target employees and help desks. They typically impersonate staff, trick IT support into resetting credentials, and bypass security controls like multi-factor authentication.”

Back at M&S’s headquarters in Paddington, Machin will be praying that his teams can get on top of the breach and restore all the company’s IT systems to full health before he has to stand up and address the outside world about last year’s results on May 21. By then the meltdown, if it is still going on, will be a month old. It is truly the stuff of CEO nightmares.
